sm-crypto-v2 1.3.0 → 1.5.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sm-crypto-v2",
-  "version": "1.3.0",
+  "version": "1.5.0",
   "description": "sm-crypto-v2",
   "main": "dist/index.js",
   "module": "dist/index.mjs",

package/pnpm-lock.yaml

@@ -1,4 +1,8 @@
-lockfileVersion: '6.0'
+lockfileVersion: '6.1'
+
+settings:
+  autoInstallPeers: true
+  excludeLinksFromLockfile: false
 
 dependencies:
   '@noble/curves':

package/src/index.ts

@@ -1,3 +1,3 @@
 export * as sm2 from './sm2/index'
-export * as sm3 from './sm3/index'
-export * as sm4 from './sm4/index'
+export { sm3 } from './sm3/index'
+export * as sm4 from './sm4/index'

package/src/sm2/ec.ts

@@ -1,89 +1,10 @@
 import { weierstrass } from '@noble/curves/abstract/weierstrass';
 import { Field } from '@noble/curves/abstract/modular'; // finite field for mod arithmetics
-import { hmac, sm3 } from './sm3'
-import { utf8ToArray } from '@/sm3';
-import { concatArray } from './utils';
 import { ONE } from './bn';
-
-/**
- * 安全随机数发生器
- * 如果有原生同步接口，直接使用。否则维护一个随机数池，使用异步接口实现。
- * Web: webcrypto 原生同步接口
- * Node: Node v18 之前需要引入 crypto 模块，这里使用异步 import
- * 小程序：异步接口
- */
-declare module wx {
-  function getRandomValues(options: {
-    length: number;
-    success: (res: { randomValues: ArrayBuffer }) => void;
-  }): void;
-}
-
-const DEFAULT_PRNG_POOL_SIZE = 16384
-let prngPool = new Uint8Array(0)
-let _syncCrypto: typeof import('crypto')['webcrypto']
-export async function initRNGPool() {
-  if ('crypto' in globalThis) {
-    _syncCrypto = globalThis.crypto
-    return // no need to use pooling
-  }
-  if (prngPool.length > DEFAULT_PRNG_POOL_SIZE / 2) return // there is sufficient number
-  // we always populate full pool size
-  // since numbers may be consumed during micro tasks.
-  if ('wx' in globalThis) {
-    prngPool = await new Promise(r => {
-      wx.getRandomValues({
-        length: DEFAULT_PRNG_POOL_SIZE,
-        success(res) {
-          r(new Uint8Array(res.randomValues));
-        }
-      });
-    });
-  } else {
-    // check if node, use webcrypto if available
-    try {
-      const crypto = await import(/* webpackIgnore: true */ 'crypto');
-      _syncCrypto = crypto.webcrypto
-      const array = new Uint8Array(DEFAULT_PRNG_POOL_SIZE);
-      _syncCrypto.getRandomValues(array);
-      prngPool = array;
-    } catch (error) {
-      throw new Error('no available csprng, abort.');
-    }
-  }
-}
-
-initRNGPool()
-
-function consumePool(length: number): Uint8Array {
-  if (prngPool.length > length) {
-    const prng = prngPool.slice(0, length)
-    prngPool = prngPool.slice(length)
-    initRNGPool()
-    return prng
-  } else {
-    throw new Error('random number pool is not ready or insufficient, prevent getting too long random values or too often.')
-  }
-}
-
-export function randomBytes(length = 0): Uint8Array {
-  const array = new Uint8Array(length);
-  if (_syncCrypto) {
-    return _syncCrypto.getRandomValues(array);
-  } else {
-    // no sync crypto available, use async pool
-    const result = consumePool(length)
-    return result
-  }
-}
-
-export function createHash() {
-  const hashC = (msg: Uint8Array | string): Uint8Array => sm3(typeof msg === 'string' ? utf8ToArray(msg) : msg)
-  hashC.outputLen = 256;
-  hashC.blockLen = 512;
-  hashC.create = () => sm3(Uint8Array.from([]));
-  return hashC;
-}
+import { randomBytes } from './rng';
+import { sm3 } from './sm3';
+import { hmac } from './hmac';
+import { concatBytes } from '@noble/curves/abstract/utils';
 
 export const sm2Fp = Field(BigInt('115792089210356248756420345214020892766250353991924191454421193933289684991999'))
 export const sm2Curve = weierstrass({
@@ -95,7 +16,9 @@ export const sm2Curve = weierstrass({
   n: BigInt('115792089210356248756420345214020892766061623724957744567843809356293439045923'),
   Gx: BigInt('22963146547237050559479531362550074578802567295341616970375194840604139615431'),
   Gy: BigInt('85132369209828568825618990617112496413088388631904505083283536607588877201568'),
-  hash: createHash(),
-  hmac: (key: Uint8Array, ...msgs: Uint8Array[]) => hmac(concatArray(...msgs), key),
+  hash: sm3,
+  hmac: (key: Uint8Array, ...msgs: Uint8Array[]) => hmac(sm3, key, concatBytes(...msgs)),
   randomBytes,
 });
+// 有限域运算
+export const field = Field(BigInt(sm2Curve.CURVE.n))

package/src/sm2/hmac.ts

@@ -0,0 +1,76 @@
+import { Hash, CHash, Input, toBytes } from '../sm3/utils';
+// HMAC (RFC 2104)
+export class HMAC<T extends Hash<T>> extends Hash<HMAC<T>> {
+  oHash: T;
+  iHash: T;
+  blockLen: number;
+  outputLen: number;
+  private finished = false;
+  private destroyed = false;
+
+  constructor(hash: CHash, _key: Input) {
+    super();
+    const key = toBytes(_key);
+    this.iHash = hash.create() as T;
+    if (typeof this.iHash.update !== 'function')
+      throw new Error('Expected instance of class which extends utils.Hash');
+    this.blockLen = this.iHash.blockLen;
+    this.outputLen = this.iHash.outputLen;
+    const blockLen = this.blockLen;
+    const pad = new Uint8Array(blockLen);
+    // blockLen can be bigger than outputLen
+    pad.set(key.length > blockLen ? hash.create().update(key).digest() : key);
+    for (let i = 0; i < pad.length; i++) pad[i] ^= 0x36;
+    this.iHash.update(pad);
+    // By doing update (processing of first block) of outer hash here we can re-use it between multiple calls via clone
+    this.oHash = hash.create() as T;
+    // Undo internal XOR && apply outer XOR
+    for (let i = 0; i < pad.length; i++) pad[i] ^= 0x36 ^ 0x5c;
+    this.oHash.update(pad);
+    pad.fill(0);
+  }
+  update(buf: Input) {
+    this.iHash.update(buf);
+    return this;
+  }
+  digestInto(out: Uint8Array) {
+    this.finished = true;
+    this.iHash.digestInto(out);
+    this.oHash.update(out);
+    this.oHash.digestInto(out);
+    this.destroy();
+  }
+  digest() {
+    const out = new Uint8Array(this.oHash.outputLen);
+    this.digestInto(out);
+    return out;
+  }
+  _cloneInto(to?: HMAC<T>): HMAC<T> {
+    // Create new instance without calling constructor since key already in state and we don't know it.
+    to ||= Object.create(Object.getPrototypeOf(this), {});
+    const { oHash, iHash, finished, destroyed, blockLen, outputLen } = this;
+    to = to as this;
+    to.finished = finished;
+    to.destroyed = destroyed;
+    to.blockLen = blockLen;
+    to.outputLen = outputLen;
+    to.oHash = oHash._cloneInto(to.oHash);
+    to.iHash = iHash._cloneInto(to.iHash);
+    return to;
+  }
+  destroy() {
+    this.destroyed = true;
+    this.oHash.destroy();
+    this.iHash.destroy();
+  }
+}
+
+/**
+ * HMAC: RFC2104 message authentication code.
+ * @param hash - function that would be used e.g. sha256
+ * @param key - message key
+ * @param message - message data
+ */
+export const hmac = (hash: CHash, key: Input, message: Input): Uint8Array =>
+  new HMAC<any>(hash, key).update(message).digest();
+hmac.create = (hash: CHash, key: Input) => new HMAC<any>(hash, key);

package/src/sm2/index.ts

@@ -1,18 +1,19 @@
 /* eslint-disable no-use-before-define */
 import { encodeDer, decodeDer } from './asn1'
-import { arrayToHex, arrayToUtf8, concatArray, generateKeyPairHex, hexToArray, leftPad, utf8ToHex } from './utils'
+import { arrayToHex, arrayToUtf8, generateKeyPairHex, hexToArray, leftPad, utf8ToHex } from './utils'
 import { sm3 } from './sm3'
-import * as mod from '@noble/curves/abstract/modular';
 import * as utils from '@noble/curves/abstract/utils';
-import { sm2Curve } from './ec';
+import { field, sm2Curve } from './ec';
 import { ONE, ZERO } from './bn';
+import { bytesToHex } from '@/sm3/utils';
 
 export * from './utils'
-export { initRNGPool } from './ec'
+export { initRNGPool } from './rng'
+export { calculateSharedKey } from './kx'
 
-// const { G, curve, n } = generateEcparam()
 const C1C2C3 = 0
-
+// a empty array, just make tsc happy
+export const EmptyArray = new Uint8Array()
 /**
  * 加密
  */
@@ -20,11 +21,9 @@ export function doEncrypt(msg: string | Uint8Array, publicKey: string, cipherMod
 
   const msgArr = typeof msg === 'string' ? hexToArray(utf8ToHex(msg)) : Uint8Array.from(msg)
   const publicKeyPoint = sm2Curve.ProjectivePoint.fromHex(publicKey)
-  // const publicKeyPoint = getGlobalCurve().decodePointHex(publicKey) // 先将公钥转成点
 
   const keypair = generateKeyPairHex()
   const k = utils.hexToNumber(keypair.privateKey)
-  // const k = new BigInteger(keypair.privateKey, 16) // 随机数 k
 
   // c1 = k * G
   let c1 = keypair.publicKey
@@ -36,31 +35,40 @@ export function doEncrypt(msg: string | Uint8Array, publicKey: string, cipherMod
   const y2 = hexToArray(leftPad(utils.numberToHexUnpadded(p.y), 64))
 
   // c3 = hash(x2 || msg || y2)
-  const c3 = arrayToHex(Array.from(sm3(concatArray(x2, msgArr, y2))));
+  const c3 = bytesToHex(sm3(utils.concatBytes(x2, msgArr, y2)));
+
+  xorCipherStream(x2, y2, msgArr)
+  const c2 = bytesToHex(msgArr)
+
+  return cipherMode === C1C2C3 ? c1 + c2 + c3 : c1 + c3 + c2
+}
 
+function xorCipherStream(x2: Uint8Array, y2: Uint8Array, msg: Uint8Array) {
   let ct = 1
   let offset = 0
-  let t: Uint8Array = new Uint8Array() // 256 位
-  const z = concatArray(x2, y2)
+  let t = EmptyArray
+  const ctShift = new Uint8Array(4)
   const nextT = () => {
     // (1) Hai = hash(z || ct)
     // (2) ct++
-    t = sm3(Uint8Array.from([...z, ct >> 24 & 0x00ff, ct >> 16 & 0x00ff, ct >> 8 & 0x00ff, ct & 0x00ff]))
+    ctShift[0] = ct >> 24 & 0x00ff
+    ctShift[1] = ct >> 16 & 0x00ff
+    ctShift[2] = ct >> 8 & 0x00ff
+    ctShift[3] = ct & 0x00ff
+    t = sm3(utils.concatBytes(x2, y2, ctShift))
     ct++
     offset = 0
   }
   nextT() // 先生成 Ha1
 
-  for (let i = 0, len = msgArr.length; i < len; i++) {
+  for (let i = 0, len = msg.length; i < len; i++) {
     // t = Ha1 || Ha2 || Ha3 || Ha4
     if (offset === t.length) nextT()
 
     // c2 = msg ^ t
-    msgArr[i] ^= t[offset++] & 0xff
+    msg[i] ^= t[offset++] & 0xff
   }
-  const c2 = arrayToHex(Array.from(msgArr))
 
-  return cipherMode === C1C2C3 ? c1 + c2 + c3 : c1 + c3 + c2
 }
 
 /**
@@ -75,7 +83,6 @@ export function doDecrypt(encryptData: string, privateKey: string, cipherMode?:
 export function doDecrypt(encryptData: string, privateKey: string, cipherMode = 1, {
   output = 'string',
 } = {}) {
-  // const privateKeyInteger = new BigInteger(privateKey, 16)
   const privateKeyInteger = utils.hexToNumber(privateKey)
 
   let c3 = encryptData.substring(128, 128 + 64)
@@ -87,36 +94,15 @@ export function doDecrypt(encryptData: string, privateKey: string, cipherMode =
   }
 
   const msg = hexToArray(c2)
-  // const c1 = getGlobalCurve().decodePointHex('04' + encryptData.substring(0, 128))!
   const c1 = sm2Curve.ProjectivePoint.fromHex('04' + encryptData.substring(0, 128))!
 
   const p = c1.multiply(privateKeyInteger)
-  // const x2 = hexToArray(leftPad(p.getX().toBigInteger().toRadix(16), 64))
-  // const y2 = hexToArray(leftPad(p.getY().toBigInteger().toRadix(16), 64))
   const x2 = hexToArray(leftPad(utils.numberToHexUnpadded(p.x), 64))
   const y2 = hexToArray(leftPad(utils.numberToHexUnpadded(p.y), 64))
-  let ct = 1
-  let offset = 0
-  let t = new Uint8Array() // 256 位
-  const z = concatArray(x2, y2)
-  const nextT = () => {
-    // (1) Hai = hash(z || ct)
-    // (2) ct++
-    t = sm3(Uint8Array.from([...z, ct >> 24 & 0x00ff, ct >> 16 & 0x00ff, ct >> 8 & 0x00ff, ct & 0x00ff]))
-    ct++
-    offset = 0
-  }
-  nextT() // 先生成 Ha1
-
-  for (let i = 0, len = msg.length; i < len; i++) {
-    // t = Ha1 || Ha2 || Ha3 || Ha4
-    if (offset === t.length) nextT()
 
-    // c2 = msg ^ t
-    msg[i] ^= t[offset++] & 0xff
-  }
+  xorCipherStream(x2, y2, msg)
   // c3 = hash(x2 || msg || y2)
-  const checkC3 = arrayToHex(Array.from(sm3(concatArray(x2, msg, y2))))
+  const checkC3 = arrayToHex(Array.from(sm3(utils.concatBytes(x2, msg, y2))))
 
   if (checkC3 === c3.toLowerCase()) {
     return output === 'array' ? msg : arrayToUtf8(msg)
@@ -166,13 +152,11 @@ export function doSignature(msg: Uint8Array | string, privateKey: string, option
       k = point.k
 
       // r = (e + x1) mod n
-      // r = e.add(point.x1).mod(n)
-      r = mod.mod(e + point.x1, sm2Curve.CURVE.n)
+      r = field.add(e, point.x1)
     } while (r === ZERO || (r + k) === sm2Curve.CURVE.n)
 
     // s = ((1 + dA)^-1 * (k - r * dA)) mod n
-    // s = dA.add(BigInteger.ONE).modInverse(n).multiply(k.subtract(r.multiply(dA))).mod(n)
-    s = mod.mod(mod.invert(dA + ONE, sm2Curve.CURVE.n) * (k - r * dA), sm2Curve.CURVE.n)
+    s = field.mul(field.inv(field.addN(dA, ONE)), field.subN(k, field.mulN(r, dA)))
   } while (s === ZERO)
   if (der) return encodeDer(r, s) // asn.1 der 编码
   return leftPad(utils.numberToHexUnpadded(r), 64) + leftPad(utils.numberToHexUnpadded(s), 64)
@@ -202,30 +186,24 @@ export function doVerifySignature(msg: string | Uint8Array, signHex: string, pub
     r = decodeDerObj.r
     s = decodeDerObj.s
   } else {
-    // r = new BigInteger(signHex.substring(0, 64), 16)
-    // s = new BigInteger(signHex.substring(64), 16)
     r = utils.hexToNumber(signHex.substring(0, 64))
     s = utils.hexToNumber(signHex.substring(64))
   }
   
-  // const PA = curve.decodePointHex(publicKey)!
   const PA = sm2Curve.ProjectivePoint.fromHex(publicKey)!
-  // const e = new BigInteger(hashHex, 16)
   const e = utils.hexToNumber(hashHex)
   
   // t = (r + s) mod n
-  // const t = r.add(s).mod(n)
-  const t = mod.mod(r + s, sm2Curve.CURVE.n)
+  const t = field.add(r, s)
 
   if (t === ZERO) return false
 
   // x1y1 = s * G + t * PA
-  // const x1y1 = G.multiply(s).add(PA.multiply(t))
   const x1y1 = sm2Curve.ProjectivePoint.BASE.multiply(s).add(PA.multiply(t))
 
   // R = (e + x1) mod n
   // const R = e.add(x1y1.getX().toBigInteger()).mod(n)
-  const R = mod.mod(e + x1y1.x, sm2Curve.CURVE.n)
+  const R = field.add(e, x1y1.x)
 
   // return r.equals(R)
   return r === R
@@ -261,10 +239,10 @@ export function getHash(hashHex: string | Uint8Array, publicKey: string, userId
 
   const entl = userId.length * 4
 
-  const z = sm3(concatArray(new Uint8Array([entl >> 8 & 0x00ff, entl & 0x00ff]), data))
+  const z = sm3(utils.concatBytes(new Uint8Array([entl >> 8 & 0x00ff, entl & 0x00ff]), data))
 
   // e = hash(z || msg)
-  return arrayToHex(Array.from(sm3(concatArray(z, typeof hashHex === 'string' ? hexToArray(hashHex) : hashHex))))
+  return bytesToHex(sm3(utils.concatBytes(z, typeof hashHex === 'string' ? hexToArray(hashHex) : hashHex)))
 }
 
 /**
@@ -274,10 +252,6 @@ export function getPublicKeyFromPrivateKey(privateKey: string) {
   const pubKey = sm2Curve.getPublicKey(privateKey, false)
   const pubPad = leftPad(utils.bytesToHex(pubKey), 64)
   return pubPad
-  // const PA = G.multiply(new BigInteger(privateKey, 16))
-  // const x = leftPad(PA.getX().toBigInteger().toString(16), 64)
-  // const y = leftPad(PA.getY().toBigInteger().toString(16), 64)
-  // return '04' + x + y
 }
 
 /**
@@ -285,7 +259,6 @@ export function getPublicKeyFromPrivateKey(privateKey: string) {
  */
 export function getPoint() {
   const keypair = generateKeyPairHex()
-  // const PA = curve.decodePointHex(keypair.publicKey)
   const PA = sm2Curve.ProjectivePoint.fromHex(keypair.publicKey)
   const k = utils.hexToNumber(keypair.privateKey)
 

package/src/sm2/kx.ts

@@ -0,0 +1,80 @@
+import { field, sm2Curve } from './ec';
+import { KeyPair, hexToArray, leftPad } from './utils';
+import * as utils from '@noble/curves/abstract/utils';
+import { sm3 } from './sm3';
+import { EmptyArray } from '.';
+
+
+// 用到的常数
+const wPow2 = utils.hexToNumber('80000000000000000000000000000000')
+const wPow2Sub1 = utils.hexToNumber('7fffffffffffffffffffffffffffffff')
+
+// from sm2 sign part, extracted for code reusable.
+function hkdf(z: Uint8Array, keylen: number) {
+  let msg = new Uint8Array(keylen)
+  let ct = 1
+  let offset = 0
+  let t = EmptyArray
+  const ctShift = new Uint8Array(4)
+  const nextT = () => {
+    // (1) Hai = hash(z || ct)
+    // (2) ct++
+    ctShift[0] = ct >> 24 & 0x00ff
+    ctShift[1] = ct >> 16 & 0x00ff
+    ctShift[2] = ct >> 8 & 0x00ff
+    ctShift[3] = ct & 0x00ff
+    t = sm3(utils.concatBytes(z, ctShift))
+    ct++
+    offset = 0
+  }
+  nextT() // 先生成 Ha1
+
+  for (let i = 0, len = msg.length; i < len; i++) {
+    // t = Ha1 || Ha2 || Ha3 || Ha4
+    if (offset === t.length) nextT()
+
+    // 输出 stream
+    msg[i] = t[offset++] & 0xff
+  }
+  return msg
+}
+
+
+export function calculateSharedKey(
+  keypairA: KeyPair,
+  ephemeralKeypairA: KeyPair,
+  publicKeyB: string,
+  ephemeralPublicKeyB: string,
+  idA: string = '1234567812345678',
+  idB: string = '1234567812345678',
+  sharedKeyLength: number,
+) {
+  const RA = sm2Curve.ProjectivePoint.fromHex(ephemeralKeypairA.publicKey)
+  const RB = sm2Curve.ProjectivePoint.fromHex(ephemeralPublicKeyB)
+  // const PA = sm2Curve.ProjectivePoint.fromHex(keypairA.publicKey) // 用不到
+  const PB = sm2Curve.ProjectivePoint.fromHex(publicKeyB)
+  const ZA = hexToArray(idA)
+  const ZB = hexToArray(idB)
+  const rA = utils.hexToNumber(ephemeralKeypairA.privateKey)
+  const dA = utils.hexToNumber(keypairA.privateKey)
+  // 1.先算 tA
+  const x1 = RA.x
+  // x1_ = 2^w + (x1 & (2^w - 1))
+  const x1_ = field.add(wPow2, (x1 & wPow2Sub1))
+  // tA = (dA + x1b * rA) mod n
+  const tA = field.add(dA, field.mulN(x1_, rA))
+
+  // 2.算 U
+  // x2_ = 2^w + (x2 & (2^w - 1))
+  const x2 = RB.x
+  const x2_ = field.add(wPow2, (x2 & wPow2Sub1))
+  // U = [h * tA](PB + x2_ * RB)
+  const U = RB.multiply(x2_).add(PB).multiply(tA)
+
+  // 3.算 KDF
+  // KA = KDF(xU || yU || ZA || ZB, kLen)
+  const xU = hexToArray(leftPad(utils.numberToHexUnpadded(U.x), 64))
+  const yU = hexToArray(leftPad(utils.numberToHexUnpadded(U.y), 64))
+  const KA = hkdf(utils.concatBytes(xU, yU, ZA, ZB), sharedKeyLength)
+  return KA
+}

package/src/sm2/rng.ts

@@ -0,0 +1,71 @@
+/**
+ * 安全随机数发生器
+ * 如果有原生同步接口，直接使用。否则维护一个随机数池，使用异步接口实现。
+ * Web: webcrypto 原生同步接口
+ * Node: Node v18 之前需要引入 crypto 模块，这里使用异步 import
+ * 小程序：异步接口
+ */
+declare module wx {
+  function getRandomValues(options: {
+    length: number;
+    success: (res: { randomValues: ArrayBuffer }) => void;
+  }): void;
+}
+
+const DEFAULT_PRNG_POOL_SIZE = 16384
+let prngPool = new Uint8Array(0)
+let _syncCrypto: typeof import('crypto')['webcrypto']
+export async function initRNGPool() {
+  if ('crypto' in globalThis) {
+    _syncCrypto = globalThis.crypto
+    return // no need to use pooling
+  }
+  if (prngPool.length > DEFAULT_PRNG_POOL_SIZE / 2) return // there is sufficient number
+  // we always populate full pool size
+  // since numbers may be consumed during micro tasks.
+  if ('wx' in globalThis) {
+    prngPool = await new Promise(r => {
+      wx.getRandomValues({
+        length: DEFAULT_PRNG_POOL_SIZE,
+        success(res) {
+          r(new Uint8Array(res.randomValues));
+        }
+      });
+    });
+  } else {
+    // check if node, use webcrypto if available
+    try {
+      const crypto = await import(/* webpackIgnore: true */ 'crypto');
+      _syncCrypto = crypto.webcrypto
+      const array = new Uint8Array(DEFAULT_PRNG_POOL_SIZE);
+      _syncCrypto.getRandomValues(array);
+      prngPool = array;
+    } catch (error) {
+      throw new Error('no available csprng, abort.');
+    }
+  }
+}
+
+initRNGPool()
+
+function consumePool(length: number): Uint8Array {
+  if (prngPool.length > length) {
+    const prng = prngPool.slice(0, length)
+    prngPool = prngPool.slice(length)
+    initRNGPool()
+    return prng
+  } else {
+    throw new Error('random number pool is not ready or insufficient, prevent getting too long random values or too often.')
+  }
+}
+
+export function randomBytes(length = 0): Uint8Array {
+  const array = new Uint8Array(length);
+  if (_syncCrypto) {
+    return _syncCrypto.getRandomValues(array);
+  } else {
+    // no sync crypto available, use async pool
+    const result = consumePool(length)
+    return result
+  }
+}